Adding two-factor authentication to Twitter is long overdue. By the time it arrives, however, it still won't be enough to block the type of phishing attack that the Syrian Electronic Army reportedly used to compromise AP, among other types of attacks. "In the case of a phishing message, two-factor authentication would not eliminate the problem," Mark Risher, CEO of social media security startup Impermium, told The New York Times. "There are ways to circumvent this. I could create a fake Web page for Twitter and ask you to enter your user credentials." Then an attacker could use the real username, password and one-time code to access the targeted account.

Twitter's current security posture -- or lack thereof -- may reflect its less-is-more approach to collecting information about its users or sharing it. "To its credit, the data privacy advocates like it because it doesn't track much," said Sean Sullivan, security advisor at F-Secure Labs, speaking by phone. But this lightweight approach has downsides, for example when it comes to repelling account takeover artists. "It doesn't say, we've never seen Syrian IP addresses used to log into this account before, so we're going to block it," Sullivan said.

For comparison's sake, Facebook offers hierarchical admin roles -- so not everyone able to access a Facebook account has the right to add or change other accounts or passwords -- and it also watches for log-ins from unknown locations, based on IP address ranges. Try to log in from Syria for the first time, and even if you get the password right, certain aspects of account administration, such as being able to see your security question settings, may be disabled, so long as you're using a machine that hasn't yet been verified via an email to the address you have on file. Account holders can view active sessions -- including devices that have been used to log into the account, and log-in times -- and disable any of these sessions.
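As an added illustration (not code from the article, Twitter or Facebook), here is a minimal version of the new-location policy described above in Python: a correct password from a never-seen country on an unverified device still gets a session, but sensitive admin actions stay disabled until the device is confirmed by email, and the account holder can list and revoke sessions. The IP-to-country table, account fields and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for a geolocation database; these are documentation
# ranges (RFC 5737), not real allocations for any country.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "SY",
}

def country_for(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"  # unknown range: treated as never seen before

@dataclass
class Account:
    known_countries: set = field(default_factory=set)   # seen on verified logins
    verified_devices: set = field(default_factory=set)  # confirmed via email link
    sessions: dict = field(default_factory=dict)        # sid -> (device, ip, restricted)

def evaluate_login(acct: Account, sid: str, ip: str, device_id: str, password_ok: bool) -> dict:
    """Decide one login attempt. 'restricted' True means the session exists but
    admin actions (e.g. viewing security-question settings) stay disabled."""
    if not password_ok:
        return {"allow": False, "restricted": False, "reason": "bad password"}
    cc = country_for(ip)
    restricted = cc not in acct.known_countries and device_id not in acct.verified_devices
    acct.sessions[sid] = (device_id, ip, restricted)
    if not restricted:
        acct.known_countries.add(cc)
    reason = f"first login from {cc}; verify device by email" if restricted else "known location or device"
    return {"allow": True, "restricted": restricted, "reason": reason}

def verify_device(acct: Account, device_id: str) -> None:
    """Called when the user clicks the emailed verification link: the device
    becomes trusted and its restricted sessions are lifted."""
    acct.verified_devices.add(device_id)
    for sid, (dev, ip, _) in list(acct.sessions.items()):
        if dev == device_id:
            acct.sessions[sid] = (dev, ip, False)
            acct.known_countries.add(country_for(ip))

def revoke_session(acct: Account, sid: str) -> bool:
    """Account holder disables one entry from the active-sessions list."""
    return acct.sessions.pop(sid, None) is not None
```

Note that this check does nothing against the phishing case quoted earlier: a relayed username, password and one-time code arriving from an already-known location passes as a normal login.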

Why hasn't Twitter added similar features? "Honestly, if they created something like Twitter Pro, AP would pay for that, and they'd opt into that logging, and their accounts would be protected," said Sullivan. "And of course you don't scale that to all users, because they don't all need that."

For many people, Twitter's just a bit of fun -- a free service for channeling wit and wisdom in 140 characters or less. But then again, this isn't some local, dial-up BBS used by a few thousand people, with members inclined to laugh off defacements and hoaxes. Instead, it's become a global communications system for disseminating information about everything from Boston bombing lockdowns and disaster warnings to reporting customer service issues and public emergencies.

As more people come to rely on this system, it's time for Twitter to secure accordingly.

I agree with the points made in the article but to say two-factor is a waste of time is crazy...it's one measure they needed to deploy to harden their security profile... Phishing and more so Spear Phishing can be prevented with a combination of security policy and Education....the comment Mike made below is spot on regarding malware...once infected, the hacker is considered a 'trusted user' and can cause harm via breach, etc.... focus on Malware Prevention via Global Intelligence and an in-depth security posture instead of a press release around two-factor. Seems like a marketing announcement to put their users at ease which, in turn, will cause more harm to end users.... My two cents
